DOCSLIB.ORG

Defence R&D Canada

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Defence R&D Canada Installing and configuring a declassification system A solution combining Trusted Solaris and Free and Open Source Software Richard Carbone Certified Hacking Forensic Investigator (EC-Council CHFI) Certified Incident Handler (SANS) DRDC Valcartier Simon Vincent Collège O’Sullivan Defence R&D Canada – Valcartier Technical Memorandum DRDC Valcartier TM 2009-086 February 20113 Installing and configuring a declassification system A solution combining Trusted Solaris and Free and Open Source Software Richard Carbone Certified Hacking Forensic Investigator (EC-Council CHFI) Certified Incident Handler (SANS) DRDC Valcartier Simon Vincent Collège O'Sullivan Defence R&D Canada – Valcartier Technical Memorandum DRDC Valcartier TM 2009-086 February 2013 Principal Author Original signed by Richard Carbone Richard Carbone Programmer/Analyst Approved by Original Signed by Guy Turcotte Guy Turcotte Head/Mission Critical Cyber Security Section Approved for release by Original signed by Christian Carrier Christian Carrier Chief Scientist © Her Majesty the Queen in Right of Canada, as represented by the Minister of National Defence, 2013 © Sa Majesté la Reine (en droit du Canada), telle que représentée par le ministre de la Défense nationale, 2013 Abstract …..... In spring 2008, certain project requirements necessitated the use and implementation of a system that could be used to declassify classified data for use on unclassified systems and networks. Some of the researchers at Defence Research Development Canada – Valcartier wished to be able to share declassified versions of their work with others. However, data residing on classified systems and networks cannot easily be transmitted to unclassified systems. Although it can be done, a variety of safeguards, data containment and compartmentalization and various procedures must be followed for doing so. The challenge is not so much the procedures and safeguards, but rather using an accredited system for containing and compartmentalizing the data to be declassified. Since no DND policy is clear on which systems to use or the process by which data can be declassified, the primary author decided that by combining commercially available software with specific FOSS components, a secure system could be built that would satisfy even the most stringent security requirements. The solution chosen was a combination of Trusted Solaris and various commonly used FOSS packages. This memorandum therefore describes how such a system is built and configured. Résumé …..... Au printemps 2008, certaines exigences de projets nécessitaient l’utilisation et l’implantation d’un système qui pourrait être utilisé pour déclassifier des données classifiées pour une utilisation sur des systèmes et des réseaux non classifiés. Certains chercheurs à Recherche et développement pour la défense Canada – Valcartier voulaient être en mesure de partager des versions déclassifiées de leurs travaux avec d’autres. Toutefois, des données résidant sur des systèmes et réseaux classifiés ne peuvent pas facilement être transmises sur des systèmes non classifiés. Même si cela peut être fait, un éventail de protections ainsi que différentes procédures pour le confinement et le cloisonnement des données, entre autre, doivent être suivies pour y parvenir. Le défi n'est pas tant les procédures et les protections, mais plutôt l’utilisation d’un système accrédité pour le confinement et le cloisonnement des données à être déclassifiées. Puisqu’aucune politique du MDN est claire sur les systèmes à utiliser ou le processus par lequel les données peuvent être déclassifiées, l’auteur principal décida qu’en combinant des logiciels commerciaux disponibles avec des composants à code source libre et ouvert, un système sécuritaire qui satisferait même les exigences de sécurité les plus strictes pourrait être construit. La solution choisie est une combinaison de Trusted Solaris et de différents progiciels à code source libre et ouvert couramment utilisés. Ce mémorandum décrit donc comment un tel système est construit et configuré. DRDC Valcartier TM 2009-086 i This page intentionally left blank. ii DRDC Valcartier TM 2009-086 Executive summary Installing and configuring a declassification system: A solution combining Trusted Solaris and Free and Open Source Software Carbone, R.; DRDC Valcartier TM 2009-086; Defence R&D Canada – Valcartier; February 2013. Specific classified projects require that eventually, data and results obtained from systems specific to one or more classified networks be shared and disseminated with colleagues and various collaborators. However, declassifying data is not an easy task. Unless there exist two simultaneous versions of an experiment, each conducted independently of the other (one classified and the other unclassified), results from the classified experiment cannot generally be released, as it would be deemed to derive, directly or indirectly, from a classified project. Of course, certain classified specifics can always be generalized to the point that the data can be readily declassified. However, it is not only experiments and their results that require occasional declassification. Other instances may necessitate those different types of files detailing various specifics, whether about a project, experiment, research or collaboration, to be shared and disseminated with others. The problem in so doing is that often individuals wishing to receive a copy of the classified file(s) either do not have adequate access or the files are deemed “need to know”, thereby restricting the files, their data and potential audience. However, if the files can be adequately stripped of details and information concerning highly classified materials and other “need to know only” material, then the files can be disseminated across a larger community. This dissemination enables researchers to further share and propagates their ideas, technologies and results. This larger audience may be able to provide additional contributions or refinements to the shared work they received. Of course, those in this larger community must have adequate security clearances so that they can work on and access the material in question. The problem of data declassification is not a new one, as it is has persisted and plagued security researchers, system administrators and information security officers for many years. However, systems already exist which are fully capable of handling, storing and processing data at multiple levels of classification. These systems are commonly referred to as MLS (multi-level security) systems and are used extensively by military and intelligence agencies throughout the world for treating and working with classified electronic information. Some of these systems have obtained TCSEC (and where applicable Common Criteria) accreditation; as such, some of can be readily accepted in high-security environments, as approved by their national accreditation agency. This memorandum will therefore demonstrate how a readily procured commercial MLS system, Trusted Solaris 8 (TSOL), when combined with appropriate open source software, can be used for editing and stripping out classified material from a file which, upon approval, can be downgraded and disseminated at a lower level of classification. However, this memorandum does not assume that highly classified data can simply, upon editing, be downgraded to a publicly releasable version. On the contrary, it is assumed that a file will be undergoing appropriate modification to go from highly classified to a lower level of classification. However, the original file nevertheless remains classified. DRDC Valcartier TM 2009-086 iii Sommaire ..... Installing and configuring a declassification system: A solution combining Trusted Solaris and Free and Open Source Software Carbone, R. ; DRDC Valcartier TM 2009-086 ; R & D pour la défense Canada – Valcartier; février 2013. Certains projets classifiés particuliers exigent qu’éventuellement, les données et les résultats obtenus à partir de systèmes spécifiques à un ou plusieurs réseaux classifiés, soient partagés et diffusés avec plusieurs collègues et collaborateurs. Toutefois, déclassifier des données n'est pas une tâche facile. À moins qu’il existe deux versions d’une même expérience, chacune menée de façon indépendante l’une de l'autre (l’une classifiée et l’autre pas), les résultats de l'expérience classifiée ne peuvent généralement pas être communiqués, car ils seraient considérés comme dérivant, directement ou indirectement, d’un projet classifié. Bien sûr, certaines particularités peuvent toujours être généralisées au point où les données peuvent être facilement déclassifiées. Cependant, ce ne sont pas seulement des expériences et leurs résultats qui exigent une déclassification occasionnelle. D'autres cas peuvent nécessiter que différents types de fichiers, fournissant des détails, que ce soit à propos d’un projet, d’une expérience, d’une recherche ou d’une collaboration, doivent être partagés et diffusés avec d’autres. Le problème, ce faisant, est que souvent, les personnes qui souhaitent recevoir une copie du ou des dossiers classifié(s) n’ont soit pas un accès adéquat ou les fichiers ont une nécessité d'accès, limitant ainsi leur public potentiel. Cependant, si les fichiers peuvent être adéquatement dépouillés des détails et des informations concernant du matériel hautement classifié ou avec une nécessité d’accès, ils peuvent être diffusés à une communauté élargie. Cette diffusion permet aux chercheurs de partager et de propager davantage leurs
Load more

Recommended publications
  • NSA Security-Enhanced Linux (Selinux)
    Integrating Flexible Support for Security Policies into the Linux Operating System http://www.nsa.gov/selinux Stephen D. Smalley [email protected] Information Assurance Research Group National Security Agency ■ Information Assurance Research Group ■ 1 Outline · Motivation and Background · What SELinux Provides · SELinux Status and Adoption · Ongoing and Future Development ■ Information Assurance Research Group ■ 2 Why Secure the Operating System? · Information attacks don't require a corrupt user. · Applications can be circumvented. · Must process in the clear. · Network is too far. · Hardware is too close. · End system security requires a secure OS. · Secure end-to-end transactions requires secure end systems. ■ Information Assurance Research Group ■ 3 Mandatory Access Control · A ªmissing linkº of security in current operating systems. · Defined by three major properties: ± Administratively-defined security policy. ± Control over all subjects (processes) and objects. ± Decisions based on all security-relevant information. ■ Information Assurance Research Group ■ 4 Discretionary Access Control · Existing access control mechanism of current OSes. · Limited to user identity / ownership. · Vulnerable to malicious or flawed software. · Subject to every user©s discretion (or whim). · Only distinguishes admin vs. non-admin for users. · Only supports coarse-grained privileges for programs. · Unbounded privilege escalation. ■ Information Assurance Research Group ■ 5 What can MAC offer? · Strong separation of security domains · System, application, and data integrity · Ability to limit program privileges · Processing pipeline guarantees · Authorization limits for legitimate users ■ Information Assurance Research Group ■ 6 MAC Implementation Issues · Must overcome limitations of traditional MAC ± More than just Multi-Level Security / BLP · Policy flexibility required ± One size does not fit all! · Maximize security transparency ± Compatibility for applications and existing usage.
    [Show full text]
  • Spf Based Selinux Operating System for Multimedia Applications
    International Journal of Reviews in Computing st 31 December 2011. Vol. 8 IJRIC © 2009 - 2011 IJRIC & LLS. All rights reserved. ISSN: 2076-3328 www.ijric.org E-ISSN: 2076-3336 SPF BASED SELINUX OPERATING SYSTEM FOR MULTIMEDIA APPLICATIONS 1NITISH PATHAK, 2NEELAM SHARMA 1BVICAM, GGSIPU, Delhi, India 2Department of Information Technology, Maharaja Agrasen Institute of Technology, Delhi, India E-mail: [email protected], [email protected] ABSTRACT Trusted Operating Systems, offer a number of security mechanisms that can help protect information, make a system difficult to break into, and confine attacks far better than traditional operating systems. However, this security will come at a cost, since it can degrade the performance of an operating system. This performance loss is one of the reasons why Trusted Operating Systems have not become popular. While Trusted Operating Systems offer an incredible amount of security, observations about computing workloads suggest that only some parts of the operating system security are actually necessary. Web servers are the best example. For many web servers, the majority of the information on the server is publicly readable and available on the Internet. Therefore, if a Trusted Operating System is used on a web server, any security used to secure the confidentiality of the server’s information is not necessary. Any security used to protect the confidentiality of web server data can be considered a waste of computational resources. The security needed in web servers is the security to protect the integrity of data, not the confidentiality of data. Other workloads such as multimedia or database workloads may also only need parts of the operating system security.
    [Show full text]
  • Looking Back: Addendum
    Looking Back: Addendum David Elliott Bell Abstract business environment produced by Steve Walker’s Com- puter Security Initiative.3 The picture of computer and network security painted in What we needed then and what we need now are “self- my 2005 ACSAC paper was bleak. I learned at the con- less acts of security” that lead to strong, secure commercial ference that the situation is even bleaker than it seemed. products.4 Market-driven self-interest does not result in al- We connect our most sensitive networks to less-secure net- truistic product decisions. Commercial and government ac- works using low-security products, creating high-value tar- quisitions with tight deadlines are the wrong place to ex- gets that are extremely vulnerable to sophisticated attack or pect broad-reaching initiatives for the common good. Gov- subversion. Only systems of the highest security are suffi- ernment must champion selfless acts of security separately cient to thwart such attacks and subversions. The environ- from acquisitions. ment for commercial security products can be made healthy again. 3 NSA Has the Mission In 1981, the Computer Security Evaluation Center was 1 Introduction established at the National Security Agency (NSA). It was charged with publishing technical standards for evaluating In the preparation of a recent ACSAC paper [1], I con- trusted computer systems, with evaluating commercial and firmed my opinion that computer and network security is in GOTS products, and with maintaining an Evaluated Prod- sad shape. I also made the editorial decision to soft-pedal ucts List (EPL) of products successfully evaluated. NSA criticism of my alma mater, the National Security Agency.
    [Show full text]
  • A Survey of Security Research for Operating Systems∗
    A Survey of Security Research for Operating Systems∗ Masaki HASHIMOTOy Abstract In recent years, information systems have become the social infrastructure, so that their security must be improved urgently. In this paper, the results of the sur- vey of virtualization technologies, operating system verification technologies, and access control technologies are introduced, in association with the design require- ments of the reference monitor introduced in the Anderson report. Furthermore, the prospects and challenges for each of technologies are shown. 1 Introduction In recent years, information systems have become the social infrastructure, so that improving their security has been an important issue to the public. Besides each of security incidents has much more impact on our social life than before, the number of security incident is increasing every year because of the complexity of information systems for their wide application and the explosive growth of the number of nodes connected to the Internet. Since it is necessary for enhancing information security to take drastic measures con- cerning technologies, managements, legislations, and ethics, large numbers of researches are conducted throughout the world. Especially focusing on technologies, a wide variety of researches is carried out for cryptography, intrusion detection, authentication, foren- sics, and so forth, on the assumption that their working basis is safe and sound. The basis is what is called an operating system in brief and various security enhancements running on it are completely useless if it is vulnerable and unsafe. Additionally, if the operating system is safe, it is an urgent issue what type of security enhancements should be provided from it to upper layers.
    [Show full text]
  • Vid6014-Vr-0001 Draft
    National Information Assurance Partnership ® TM Common Criteria Evaluation and Validation Scheme Validation Report BAE Systems Information Technology, Inc. XTS-400 Version 6.4.U4 Report Number: CCEVS-VR-VID10293-2008 Dated: July 3, 2008 Version: 2.3 National Institute of Standards and Technology National Security Agency Information Technology Laboratory Information Assurance Directorate 100 Bureau Drive 9600 Savage Road Suite 6757 Gaithersburg, Maryland 20878 Fort George G. Meade, MD 20755-6740 i Acknowledgements: The TOE evaluation was sponsored by: BAE Systems Information Technology Inc. Evaluation Personnel: Arca Common Criteria Testing Laboratory Ms. Diann Carpenter Mr. J. David Thompson Dr. Gary Grainger Mr. John Boone Ms. Louise Huang Mr. Ray Rugen Mr. Ken Dill The National Security Agency . Validation Personnel: Dr. Jerome Myers, The Aerospace Corporation Mr. Daniel Faigin, The Aerospace Corporation ii Table of Contents 1 Executive Summary................................................................................................................ 1 2 Identification............................................................................................................................ 3 3 Security Policy ........................................................................................................................ 5 3.1 Identification and Authentication Policy ......................................................................... 5 3.2 Mandatory Access Control Policy .................................................................................
    [Show full text]
  • Freebsd Advanced Security Features
    FreeBSD Advanced Security Features Robert N. M. Watson Security Research Computer Laboratory University of Cambridge 19 May, 2007 Introduction ● Welcome! – Introduction to some of the advanced security features in the FreeBSD operating system ● Background – Introduce a series of access control and audit security features used to manage local security – Features appeared between FreeBSD 4.0 and FreeBSD 6.2, and build on the UNIX security model – To talk about new security features, we must understand the FreeBSD security architecture 19 May 2007 2 Post-UNIX Security Features ● Securelevels ● IPFW, PF, IPFilter ● Pluggable ● KAME IPSEC, authentication FAST_IPSEC modules (OpenPAM) ● Access control lists ● Crypto library and (ACLs) tools (OpenSSL) ● Security event audit ● Resource limits ● Mandatory access ● Jails, jail securelevels control (MAC) ● GBDE, GELI ● 802.11 security 19 May 2007 3 Brief History of the TrustedBSD Project ● TrustedBSD Project founded in April, 2000 – Goal to provide trusted operating system extensions to FreeBSD – DARPA funding began in July, 2001 – Continuing funding from a variety of government and industry sponsors – Work ranges from immediately practical to research – While many of these features are production- quality, some are still under development – Scope now also includes Apple's Mac OS X 19 May 2007 4 FreeBSD Security Architecture 19 May 2007 5 FreeBSD Security Architecture ● FreeBSD's security architecture is the UNIX security architecture – Entirely trusted monolithic kernel – UNIX process model – Kernel UIDs/GIDs driven by user-space user mode – Privileged root user – Various forms of access control (permissions, ...) ● Security features discussed here extend this security model in a number of ways 19 May 2007 6 Kernel and User Processes Kernel s s Inter-process e l c l communication c a a c m m e e t t s s y y s s e l i F User User User ..
    [Show full text]
  • CS526: Information Security
    Cristina Nita-Rotaru CS526: Information security Trusted Computing Base. Orange Book, Common Criteria Related Readings for This Lecture • Wikipedia } Trusted computing base } TCSEC } Common Criteria, } Evaluation Assurance Level 2 TCB Trusted vs. Trustworthy } A component of a system is trusted means that } the security of the system depends on it } if the component is insecure, so is the system } determined by its role in the system } A component is trustworthy means that } the component deserves to be trusted } e.g., it is implemented correctly } determined by intrinsic properties of the component Trusted Operating System is actually a misnomer 3 TCB Trusted Computing Base } A trusted computing base is the set of all hardware, software and procedural components that enforce the security policy. } in order to break security, an attacker must subvert one or more of them. } What consists of the conceptual Trusted Computing Based in a Unix/Linux system? } hardware, kernel, system binaries, system configuration files, etc. 4 TCB Trusted Path } A trusted path is a mechanism that provides confidence that the user is communicating with what the user intended to communicate with (typically TCB) } attackers can't intercept or modify whatever information is being communicated. } defends attacks such as fake login programs } Example: Ctrl+Alt+Del for log in on Windows 5 TCB Trusted Computing and Trusted Platform Module } Trusted Computing means that the computer will consistently behave in specific ways, and those behaviors will be enforced by hardware and software. } Trusted Computing Group } an alliance of Microsoft, Intel, IBM, HP and AMD; } promotes a standard for a `more secure' PC.
    [Show full text]
  • Achieving Cross-Domain Collaboration in Heterogeneous Environments
    UNCLASSIFIED/UNLIMITED Achieving Cross-Domain Collaboration in Heterogeneous Environments Mr. Thomas Macklin and Ms. Phyllis Jenket Naval Research Laboratory 4555 Overlook Ave, S.W. Washington, D.C. 20375 USA E-mail: [email protected] [email protected] ABSTRACT The military community relies on chat and Instant Message (IM) technologies for planning operations and near real-time collaboration. For all of the strengths of chat/IM technologies, they do not lend themselves well to use within conventional cross-domain communications architectures. The United States Naval Research Laboratory (NRL) has developed a portable, hybrid architecture that introduces multilevel security (MLS) technologies into environments comprised of multiple security levels (MSL). This architecture was then used as the framework for integrating various software systems into an enabling capability for cross- domain chat. The resultant multilevel chat system utilizes various trusted mechanisms to maintain strong process separation, privilege management, and communications interface control. This multilevel chat system was then used in a limited operational experiment (LOE) to enable users in disparate security domains to collaborate with each other based on a pre-defined, tested, and approved system security policy. Efforts are currently underway to develop a certification profile for this system, as well as for the system’s hybrid multilevel architecture. We hope to determine the scalability of this architecture through future operational test scenarios. We are also investigating the scope of the solution set to which this architecture may apply, including multilevel web services. 1.0 INTRODUCTION As NATO and its member nations move forward in transforming from platform-centric to network-centric force structures, a shift in the nature of the technological problems has occurred.
    [Show full text]
  • The Trustedbsd MAC Framework
    The TrustedBSD MAC Framework: Extensible Kernel Access Control for FreeBSD 5.0 Robert Watson Wayne Morrison Network Associates Laboratories Network Associates Laboratories Rockville, MD Rockville, MD [email protected] [email protected] http://www.nailabs.com/ Chris Vance Brian Feldman Network Associates Laboratories FreeBSD Project Rockville, MD Rockville, MD [email protected] [email protected] http://www.nailabs.com/ Abstract 2 The Desire For Access Control Exten- We explore the requirements, design, and implemen- sions tation of the TrustedBSD MAC Framework. The FreeBSD serves two primary markets: it is both a con- TrustedBSD MAC Framework, integrated into FreeBSD sumer operating system and a technology source for 5.0, provides a flexible framework for kernel access con- third party operating systems or high-end embedded trol extension, permitting extensions to be introduced products. FreeBSD is directly employed as a produc- more easily, and avoiding the need for direct modifica- tion server and workstation operating system on main- tion of distributed kernel sources. We also consider the stream i386, Alpha, and SPARC64 hardware. In the performance impact of the Framework on the FreeBSD high-end embedded market, it is used as the basis for 5.0 kernel in several test environments. network and storage appliance devices such as firewalls, network-attached storage, and VPN devices; it is also 1 Introduction used as a technology source for third party operating Access control extensions have proved a fertile field for system, including Apple’s Mac OS X Darwin kernel, as operating system security research over the past twenty well as by other operating system vendors.
    [Show full text]
  • Vaulted VPN: Compartmented Virtual Private Networks on Trusted Operating Systems
    Vaulted VPN: Compartmented Virtual Private Networks on Trusted Operating Systems Tse-Huong Choo Extended Enterprise Laboratory HP Laboratories Bristol HPL-1999-44 March, 1999 E-mail: [email protected] VPN, Virtual Private Networks for IPSec based on an virtual vault, intermediate packet-redirector in network-protocol IPSec stacks are becoming increasingly common for many standard operating systems and represent a well- understood method for retro-fitting such systems with IPSec support. This report describes how a different design structured around a Trusted Operating System can offer better security, performance and robustness. We describe in detail an implementation of an IPSec VPN consisting of a series of compartmented, concurrently executing IPSec stacks. The motivations and security-related benefits behind each design decision are discussed. In addition, we show how a configuration of independent IPSec stacks based on this design can be configured to execute in parallel for greater performance, and how its design allows individual component-failures without affecting the system as a whole. Internal Accession Date Only Ó Copyright Hewlett-Packard Company 1999 1 Introduction There is an increasing prevalence of IPSec Virtual Private Networks (VPNs) based around an approach of inserting a plug-in into the network protocol stack of mainstream operating-systems. This plug-in typically redirects any incoming or outgoing network packet in order to perform IPSec-specific processing such as encryption or decryption. This approach is well understood and has been mentioned in many standard texts, most notably the IETF RFCs for IPSec [2][3]. However, this approach is not without its weaknesses. The important, but often conflicting design goals of security, performance and robustness often leads to cases where the development of one goal requires trade-offs in the other.
    [Show full text]
  • HP Security Handbook
    The HP Security Handbook Vice President, HP Security Office Tony Redmond HP Security Handbook Lead Jan De Clercq Layout, Illustrations, Graphics and Production Lead Killian McHugh Primary Content Editors and Strategists Governance and Compliance: Stuart Hotchkiss (Lead) Proactive Security Management: Keith Millar (Lead) Identity Management: Jan De Clercq (Lead), Mark Crosbie Trusted Infrastructure: Boris Balacheff (Lead), Iver Band, Archie Reed, Mark Schiller, Bill Wear Innovation in Security: Simon Shiu (Lead), Joe Pato Additional Content Contributors Governance and Compliance: Lois Boliek, John Carchide, Frederic Gittler, David Graves, Jim Hoover, Cheryl Jackson, Paul Jeffries, Bill Kowaleski, Tari Schreider, Saida Wulteputte, Mike Yearworth Proactive Security Management: Hayden Brown, John Carchide, Tracy DeDore, Paul Jeffries, Montserrat Mane, Jim O'Shea, Christopher Peltz, Sarah Porten, Yann Vermast, Brian Volkoff, Doug Young Identity Management: Sai Allavarpu, Jean-Michel Argenville, Carolyn Bosco, Pete Bramhall, Christian Fischer, Ronald Luman, Marco Casassa Mont, Robert Neal-Joslin, Jason Rouault, Scott Swist, Ibrahim Wael, Manny Novoa Trusted Infrastructure: Enrico Albertin, Shivaun Albright, Sunil Amanna, Mike Balma, Ron Carelli, Lynne Christofanelli, Paul Congdon, Joanne Eames, Janusz Gebusia, Gary Lefkowitz, Shab Madina, Sunil Marolia, John Rhoton, Steve Scott, Rick Supplee, Tom Welsh, Chris Whitener Innovation in Security: Adrian Baldwin, Richard Brown, Chris Dalton, Bill Horne, Ed McDonnell, David Pym, Martin Sadler, Steve Simske, Richard Smith The HP Security Handbook is available online at www.hp.com/go/security/securityhandbook. For feedback, please e-mail [email protected]. For additional printed copies, please see your HP Sales Representative. About HP HP is a technology company that operates in more than 170 countries around the world.
    [Show full text]
  • Securing Commercial Operating Systems
    91 C H A P T E R 7 Securing Commercial Operating Systems Since the discovery of the reference monitor concept during the development of Multics, there have been many projects to retrofit existing commercial operating systems with a true reference monitor implementation. Successful, commercial operating systems can have a large customer base and a variety of popular applications. As a result, those customers with strong secrecy and integrity requirements (e.g., US Government) often encourage the construction of secure versions of existing commercial operating systems. Many such systems have been retrofitted over the years. In this chapter, we explore some of the commercial systems that have been retrofitted with reference monitors. The aim is not for completeness, as there are far too many systems, but we want to capture the distinct movements in creating a secure operating system from an existing commercial system. Converting an existing code base to one that implements a reference monitor is a challenging task. In order to be a secure operating system, the resulting code base must achieve the three reference monitor guarantees, but this is difficult because much of the code was not developed with these guarantees in mind. This contrasts markedly with the security kernel approach in Chapter 6 where the system design considers mediation, tamperproofing, and verification from the outset. After outlining the tasks involved in retrofitting a commercial operating system with a ref- erence monitor, we examine a variety of different retrofitted systems. We group these systems by a trend motivating their construction. We examine the resultant system architectures in detail for two systems: Solaris Trusted Extensions in Chapter 8 and the Linux operating system in Chapter 9.
    [Show full text]